Unable to establish remote access VPN connection from behind ASA

Hi,

We have two sites, Site-A with an ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via the Cisco VPN client from behind the new ASA 5515-X. They see the following error:

"Secure VPN Connection terminated locally by the client.

Reason 412: The remote peer is no longer responding."

They are able to access the same from home or elsewhere, so I believe there is nothing wrong with the Site-A ASA VPN config, which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?

Re: Unable to establish remote access VPN connection from behind

Hi,

I have not received any other complaints regarding the internet connection so apart from this issue, everything seems fine.

I got someone at Site-B to connect the internet link directly from the ISP modem to his laptop and check, and the VPN client was able to connect. So the packets are not able to go out from the Site-B ASA 5515-X itself. The Site-A public IP is reachable from behind the Site-B ASA. I was under the impression that all outbound connections are allowed by default. Could the NAT config be causing problems?

Re: Unable to establish remote access VPN connection from behind

Hi,

Sorry, that's an older config backup, where E0/1 was configured for a backup internet link. I edited it to reflect the new config. The sec level is set to 100 already. Any other ideas? I read something about NAT-traversal but am not sure if it applies in my case.

Re: Unable to establish remote access VPN connection from behind

Yes, users at Site-B are behind the 5515-X ASA whose config I have posted, so inside to outside. Right now I have applied the following permit rule on the Site-B 5515-X outside interface in the inbound direction and I'm able to connect. But I'm not sure if this is the recommended approach to the problem.

Re: Unable to establish remote access VPN connection from behind

Hmm... the inbound rule solved the problem. Good to hear that the problem is solved. But for your query: yes, VPN sometimes requires two-way rules. I faced a similar problem a few years ago. That is why I insisted you have the rules in place to verify.

Re: Unable to establish remote access VPN connection from behind

Hi, Everyone,

I have similar configurations to Kunal and a very similar problem for outbound VPN connections. The difference is we are using a PIX 535, firmware 8.0.4; our site is the main office, we have the IPSec VPN server here and it's been working for a long time: VPN client 4.x and 5.x can connect to our site from outside, but we can't use VPN Client or QuickVPN to connect to our other offices (they use a PIX 515E or something like a Cisco WSVS4400N IPsec VPN). Here almost all networking services are fine, including internet connections, exchange servers etc., inbound or outbound. The VPN outgoing connection is the only problem we are having so far. Below is some diagnosis I have done so far:

#1: the branch office VPN server is working, verified by connections from my home PCs, which use a cheap Linksys router with default settings

#2: the branch office IP is reachable from our main office

#3: when I use QuickVPN to connect to the branch office from the main office, the first stage of the connection is fine, saying something like "server's certificate doesn't exist on your local computer, do you want to quit the connection?"; I chose No, then it goes through (activate policy, verify network...) and all is fine until the last step, where it says "the remote gateway is not responding, do you want to wait"

#4: I added a similar rule for incoming connections: access-list 101 line 2 extended permit udp any any, and other things suggested here like NAT-traversal... nothing works so far.

#5: I can't find any log info about the VPN connections in our PIX log file (which is using Unix syslog and is very verbose)

I know I may need to start a new discussion, I just thought my problem is very similar to Kunal's.

Unable to establish remote access VPN connection from behind ASA

Thank you very much Karthikeyan,

Outgoing traffic for ports 443, 60443, 500 & 4500 from a main office PC to the branch office router is allowed, verified by Packet Tracer; incoming UDP is DENIED even if I put a rule to allow any host to send incoming UDP traffic, because of the dynamic NAT configuration: all PCs here except servers are mapped to our gateway IP by dynamic NAT. The packet tracer says it this way (NAT with an X mark): inside PCs are "dynamic translation to pool 10 (70.169.X.X) ([interface PAT])", which means there is no way for an outside host to initiate a connection unless I do static NAT mapping (not feasible here).

I also tried:

> conf t

> fixup protocol ipsec-pass-thru

but the CLI gives an error. I can see it has about 15 choices like ftp and http, but ipsec-pass-thru is NOT a valid choice; I don't know how to add IPSEC-pass-thru as one of the protocols via fixup.
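An added example, not from any post in this thread, of how these two pieces fit together on PIX/ASA 7.x and later: the outside-in exception narrowed to the known peer and the IKE/NAT-T ports instead of `permit udp any any`, and the Modular Policy Framework inspection that replaced `fixup protocol ipsec-pass-thru` (it lets the firewall open the ESP/AH return flow for an IKE negotiation started from inside, so no static NAT is needed). The ACL and policy-map names, the interface name `outside` and the address 203.0.113.10 are placeholders.

```cisco
! 203.0.113.10 stands in for the remote VPN server's public IP (placeholder)
! Allow only IKE (UDP/500, "isakmp") and NAT-T (UDP/4500) from that peer,
! rather than UDP from anywhere; everything else is denied and logged
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 any eq isakmp
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 any eq 4500
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! MPF replacement for "fixup protocol ipsec-pass-thru": the inspection
! watches the inside client's IKE exchange and permits the matching
! ESP (IP protocol 50) / AH (IP protocol 51) return traffic through PAT
policy-map type inspect ipsec-pass-thru IPSEC-PASS-THRU-MAP
 parameters
  esp per-client-max 10 timeout 0:11:00
  ah per-client-max 10 timeout 0:11:00

! Attach it to the default global inspection class
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC-PASS-THRU-MAP
service-policy global_policy global
```

After applying it, `show service-policy inspect ipsec-pass-thru` and `show conn protocol udp` show whether the IKE session and the tracked ESP flows are being built when a client behind the firewall connects.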

We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...